Arbor Networks has unearthed a new malware family, dubbed Soraya, which combines techniques from the infamous ZeuS and Dexter Trojans to steal payment card data via infected point-of-sale (PoS) terminals.
The vendor’s Security Engineering and Response Team (ASERT) revealed in a blog post that the newly discovered malware has already stolen thousands of payment cards.
Having managed to track one command and control server after the attacker temporarily placed card data in a publically accessible location, the Arbor team found that the majority of compromised cards associated with the C&C were issued by banks in the US (65%), Canada (11%) and Costa Rica (21%).
Following those came South Africa (0.8%), Brazil and Russia (0.4%) and the UK, Poland, Mexico and Panama (0.1%).
Soraya uses a similar “memory scraping” technique to Dexter, with one thread responsible for the process, Arbor senior research engineer Matthew Bing explained in the blog post.
“It does this by creating the mutex POSMainMutex to ensure it is the only thread operating. Every five seconds, the thread will iterate through the list of processes with Process32Next(), ignoring system processes with names shown in Figure 1,” he added.
“It will check memory regions for each process with VirtualQueryEx(), ignoring those with the PAGE_NOACCESS or PAGE_GUARD values set. Valid memory regions are copied with ReadProcessMemory() and examined for payment card data.”
Soraya also borrows from ZeuS in how it intercepts data sent from web browsers.
“Soraya has clearly taken inspiration from the Dexter and the Zeus families. The ‘split brain’ functionality of both memory scraping and form grabbing is Soraya’s most unique trait,” concluded Bing.
"In past campaigns, memory scrapers have been uniquely targeted at point-of-sale devices and form grabbers have been uniquely targeted at online bank users.”
The blending of the two techniques is yet another example of the ingenuity and adaptability of cyber criminal gangs, and why law enforcers and security researchers are always playing catch up.
However, this week has seen one positive proactive move by law enforcers, when the FBI, UK National Crime Agency and Europol joined forces to disrupt the GameOver Zeus botnet and CryptoLocker.
“The agencies in the different countries are pooling resources and intelligence to hit the operators of this malware in a large-scale strike while also educating the public and using free tools to help assess and protect their computers,” said Tripwire director of security R&D Lamar Bailey.
“It is great to see multiple countries and organizations work together pooling resources and intelligence to attack a common target. Hopefully this is a sign of things to come.”